1

Note that this question is definitely not a duplicate of: When was the shellshock (CVE-2014-6271/7169) bug introduced, and what is the patch that fully fixes it?

According to:

https://security-tracker.debian.org/tracker/CVE-2014-6277

CVE-2014-6277 is fixed in wheezy (security) by bash package: 4.2+dfsg-0.1+deb7u3

Yet if I run a bash shell script to test for six different shellshock exploits on my Debian system which has that Bash version 4.2+dfsg-0.1+deb7u3, I get this output:

Testing /bin/bash ...
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]
Vulnerable to CVE-2014-6278 (lcamtuf bug #2) [prefix/()-suffix]
Variable function parser inactive, likely safe from unknown parser bugs

The shell script is here (run at your own risk but it looks legit):

https://github.com/hannob/bashcheck/blob/master/bashcheck

And people on IRC have reported other scripts reporting unfixed shellshock-related vulnerabilities too...

There are two possibilities here: either the script wrongly reports 6277 and 6278 as still vulnerable, or https://security-tracker.debian.org/tracker/CVE-2014-6277 is wrong (at the time I write this).

Which is it?

Which Debian patch fixes 6277 and 6278?

1 Answer

2

Debian applied various patches to the bash version in wheezy(-security) which also prevent CVE-2014-6277 and CVE-2014-6278 from being exploitable.

See https://github.com/hannob/bashcheck/blob/master/README.md for how to interpret your result.

My output of the (probably updated) bashcheck script on Debian is:

Testing /bin/bash ...
GNU bash, Version 4.2.37(1)-release (x86_64-pc-linux-gnu)

Variable function parser pre/suffixed [(), redhat], bugs not explitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)

The (shortened) changelog of the deb7u3 security releases is:

bash (4.2+dfsg-0.1+deb7u3) wheezy-security; urgency=high

  * Add variables-affix.patch patch.
    Apply patch from Florian Weimer to add prefix and suffix for environment
    variable names which contain shell functions.
  * Add parser-oob.patch patch.
    Fixes two out-of-bound array accesses in the bash parser.

bash (4.2+dfsg-0.1+deb7u2) wheezy-security; urgency=high

  * Add CVE-2014-7169.diff diff.
    CVE-2014-7169: Incomplete fix for CVE-2014-6271. (Closes: #762760, #762761)

bash (4.2+dfsg-0.1+deb7u1) wheezy-security; urgency=high

  * Apply patch from Chet Ramey to fix CVE-2014-6271.
jofel
  • 26,758
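
The variables-affix.patch entry in the changelog above changes the environment variable name under which bash carries an exported function. The following is an added example, not part of the original answer or of bashcheck, that exports a harmless no-op function and reports which name encoding a given bash binary uses; the function name `probe_fn` and the class labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of bashcheck. probe_fn and the class labels
# below are hypothetical names chosen for this illustration.

# Map the environment variable name that carries the exported function
# probe_fn to an encoding class.
classify_export_name() {
    case "$1" in
        'BASH_FUNC_probe_fn()') echo "affix-paren" ;;   # prefix plus "()" suffix
        'BASH_FUNC_probe_fn%%') echo "affix-percent" ;; # prefix plus "%%" suffix
        'probe_fn')             echo "plain" ;;         # no affix on the variable name
        *)                      echo "unknown" ;;       # bash missing or no match
    esac
}

# Export a no-op function from the given bash binary, list the child
# environment, and classify the variable name that holds the function.
detect_function_export_format() {
    bash_bin=${1:-/bin/bash}
    name=$("$bash_bin" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null |
        sed -n 's/^\([^=]*probe_fn[^=]*\)=() .*/\1/p' | head -n 1)
    classify_export_name "$name"
}

echo "function export format: $(detect_function_export_format "${1:-/bin/bash}")"
```

A result of `affix-paren` corresponds to the "pre/suffixed [(), redhat]" line in the bashcheck output above, while `plain` means function definitions are still carried in ordinary variable names.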